Attacks on computer systems are often based on exploitation of security vulnerabilities in the system's software and/or hardware. The complexity of a typical computer system means that vulnerabilities often exist even in systems that are well-designed. When a vulnerability has been found, an attacker can create malware that exploits the vulnerability to cause behaviors that can range from nuisance (e.g., minor performance degradation) to catastrophe (e.g., deletion of data).
Various mechanisms exist to protect systems against malware attacks. Anti-virus (“AV”) software uses definitions to detect signatures in existing or incoming data, and/or patterns of software behavior that are consistent with known malware. However, the ability of AV software to detect malware depends on a human analyst having first discovered the malware's tell-tale (i.e., signature) data or behavior. This discovery is made only after the malware has already been observed in the wild and has infected machines. Moreover, after the signature data and/or behavior has been discovered by a human, individual machines remain unprotected until a definition based on that signature has been created and distributed to client AV engines. In many cases, this process is not fast enough to protect machines. Malware may spread widely before it is detected by human analysts and before an AV definition can be distributed to a large number of machines.
Some protection mechanisms can guard against certain classes of attacks without relying on humans to react to problems. Some operating environments provide Data Execution Prevention (“DEP”), which allows software to declare certain memory pages as non-executable. Some attacks are based on writing malware code into data pages and then causing a program to execute code from those data pages. If the data pages have been declared non-executable by the program, then DEP may stop the program from executing if the program attempts to execute an instruction located in a data page. However, this technique does not guard against attacks that use existing code in pages that have been declared executable, as in the case of “return-to-libc” attacks. Address Space Layout Randomization (“ASLR”) protects against attacks that rely on the attacker's knowledge of where certain executable code is located. In ASLR, the location of executable code is randomized, so the attacker does not know the memory layout of the processes that could be used to implement an exploit. However, ASLR may be of limited effectiveness. Even if ASLR defeats some instances of an attack, an attack against an ASLR-protected system can be shown to retain some probability of succeeding.
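As an added example (not part of the original text), the following Python check reports whether an ELF64 binary opts into the two mechanisms just described: a non-executable stack, which the loader enforces via the PT_GNU_STACK program header flags (DEP-style protection), and position independence (ET_DYN), without which ASLR cannot randomize the main image. The minimal ELF images used as input are constructed inline as test fixtures.

```python
import struct

# ELF constants (from the ELF specification / Linux binfmt headers)
PT_GNU_STACK = 0x6474E551   # program header describing the stack's required permissions
PF_X = 0x1                  # segment flag: executable
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs. position-independent image
EM_X86_64 = 62

def elf_mitigations(data):
    """Report whether an ELF64 image opts into a non-executable stack (DEP/NX)
    and position independence (needed for ASLR to randomize the main image)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:   # e_ident[EI_CLASS] must be ELFCLASS64
        raise ValueError("not an ELF64 file")
    end = "<" if data[5] == 1 else ">"            # e_ident[EI_DATA]: 1 = little endian
    fields = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    stack_flags = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
    # No PT_GNU_STACK header at all: the Linux loader historically falls back to an
    # executable stack on x86, so absence is treated as "not protected".
    nx_stack = stack_flags is not None and not (stack_flags & PF_X)
    return {"nx_stack": nx_stack, "pie": e_type == ET_DYN}

def make_elf(e_type, stack_flags=None):
    """Constructed test fixture: a minimal, non-runnable little-endian ELF64 image
    consisting of the file header plus an optional PT_GNU_STACK program header."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little endian, v1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, EM_X86_64, 1, 0, 64, 0, 0,
                              64, 56, phnum, 64, 0, 0)
    if phnum:
        hdr += struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return hdr

def check_file(path):
    """Run the check against a real binary on disk."""
    with open(path, "rb") as f:
        return elf_mitigations(f.read())

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, check_file(p))
```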
Moreover, a system has been described that detects worms based on the notion that worms infect machines through network traffic, and through data that is derived from network traffic. However, such a system does not address more general types and sources of infection.